Range of targets makes Russia top suspect
According to SecureWorks researcher Tom Finney, the targeting of US politics was only a small proportion of the overall targeting.
“It is difficult to reasonably conclude that any other country apart from Russia would have an interest in the range of targets,” he said.
Most of the targeted accounts, said Finney, are linked to intelligence gathering or information control in Russia or former Soviet states.
“The majority of the activity appears to focus on Russia’s military involvement in eastern Ukraine; for example, the email address targeted by the most phishing attempts (nine) was linked to a spokesperson for the Ukrainian prime minister.
“Other targets included individuals in political, military, and diplomatic positions in former Soviet states, as well as journalists, human rights organisations, and regional advocacy groups in Russia,” he said.
The researchers found that more than half of the targeted authors and journalists are Russia or Ukraine subject matter experts, making it likely that the Russian state has an interest in how it is portrayed in the media.
US-based military spouses who wrote online content about the military and military families were also targeted, indicating that the threat actors may have been attempting to learn about broader military issues in the US or gain operational insight into the military activity of the target’s spouse, said Finney.
“We also identified individuals who were likely targeted due to their position in the supply chain of organisations of interest to Fancy Bear/Iron Twilight,” he said.
“The targets included a systems engineer working on a military simulation tool, a consultant specialising in unmanned aerial systems, an IT security consultant working for Nato, and a director of federal sales for the security arm of a multinational technology company. The threat actors likely aimed to exploit the individuals’ access to and knowledge of government clients’ information.”
The researchers believe the cyber campaign is also likely to have targeted current and former military and government personnel for potential operational insight gained from access to their personal communications.
“Most of the activity focused on individuals based in the US or working in Nato-linked roles. It also targeted high-profile Syrian rebel leaders, including a leader of the Syrian National Coalition,” said Finney.
“Russian forces have supported Syrian president Bashar al-Assad’s regime since September 2015, so it is likely the threat actors are seeking to gain intelligence on rebel forces to assist Russian and Assad regime military operations,” he said.